This week, 70 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 36 plugin vulnerabilities that have security patches available, so run those updates!
Additionally, there are 33 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.
WordPress Core Vulnerabilities — Patched
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Formidable Forms

- Plugin Slug
- formidable
- Installations
- 300,000+
- Vulnerability
- Auth. Remote Code Execution (RCE)
- Patched in Version
- 6.3.1
- Severity Score
- Critical
- CVE
- 2023-2877
Chaty

- Plugin Slug
- chaty
- Installations
- 200,000+
- Vulnerability
- Authenticated Stored Cross Site Scripting (XSS)
- Patched in Version
- 3.1.2
- Severity Score
- Medium
- CVE
- 2023-3245
Ultimate Member

- Plugin Slug
- ultimate-member
- Installations
- 200,000+
- Vulnerability
- Unauthenticated Privilege Escalation
- Patched in Version
- 2.6.7
- Severity Score
- Critical
- CVE
- 2023-3460
EmbedPress

- Plugin Slug
- embedpress
- Installations
- 80,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 3.8.0
- Severity Score
- Medium
- CVE
- 2023-3371
Login/Signup Popup

- Plugin Slug
- easy-login-woocommerce
- Installations
- 30,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.4
- Severity Score
- Medium
Social Login and Register

- Plugin Slug
- miniorange-login-openid
- Installations
- 30,000+
- Vulnerability
- Authentication Broken Authentication
- Patched in Version
- 7.6.5
- Severity Score
- Critical
- CVE
- 2023-2982
Subscribe2

- Plugin Slug
- subscribe2
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 10.41
- Severity Score
- Medium
- CVE
- 2023-1844
Subscribe2

- Plugin Slug
- subscribe2
- Installations
- 30,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 10.41
- Severity Score
- Medium
- CVE
- 2023-3407
Contact Form & Lead Form Elementor Builder

- Plugin Slug
- lead-form-builder
- Installations
- 20,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.8.5
- Severity Score
- Medium
- CVE
- 2023-25969
Supsystic Popup

- Plugin
- Popup by Supsystic
- Plugin Slug
- popup-by-supsystic
- Installations
- 20,000+
- Vulnerability
- Prototype Pollution
- Patched in Version
- 1.10.19
- Severity Score
- High
- CVE
- 2023-3186
WPGraphQL

- Plugin
- WPGraphQL
- Plugin Slug
- wp-graphql
- Installations
- 20,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 1.14.6
- Severity Score
- Medium
- CVE
- 2023-23684
WP ERP

- Plugin Slug
- erp
- Installations
- 9,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.12.4
- Severity Score
- High
- CVE
- 2023-2743
Active Directory Integration / LDAP Integration

- Plugin Slug
- ldap-login-for-intranet-sites
- Installations
- 5,000+
- Vulnerability
- Unauthenticated LDAP Injection
- Patched in Version
- 4.1.6
- Severity Score
- High
- CVE
- 2023-3447
MStore API

- Plugin
- MStore API
- Plugin Slug
- mstore-api
- Installations
- 5,000+
- Vulnerability
- Unauth. SQL Injection
- Patched in Version
- 4.0.2
- Severity Score
- Critical
- CVE
- 2023-3197
Poll Maker

- Plugin Slug
- poll-maker
- Installations
- 5,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 4.6.3
- Severity Score
- Medium
- CVE
- 2023-34013
Th Product Compare

- Plugin Slug
- th-product-compare
- Installations
- 5,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.2.6
- Severity Score
- Medium
- CVE
- 2023-25969
Waitlist WooCommerce ( Back in stock notifier )

- Plugin Slug
- waitlist-woocommerce
- Installations
- 5,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.5.3
- Severity Score
- Medium
Short URL

Short URL

- Plugin
- Short URL
- Plugin Slug
- shorten-url
- Installations
- 2,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 1.6.5
- Severity Score
- High
- CVE
- 2022-46860
WP Inventory Manager

- Plugin
- WP Inventory Manager
- Plugin Slug
- wp-inventory-manager
- Installations
- 2,000+
- Vulnerability
- Inventory Items Deletion via Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.1.0.14
- Severity Score
- Medium
- CVE
- 2023-2842
Kanban Boards for WordPress

- Plugin Slug
- kanban
- Installations
- 1,000+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.5.21
- Severity Score
- Medium
- CVE
- 2023-0873
Request a Quote

- Plugin
- Request a Quote
- Plugin Slug
- request-a-quote
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.3.11
- Severity Score
- Medium
LiquidPoll

- Plugin Slug
- wp-poll
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.3.69
- Severity Score
- Medium
- CVE
- 2023-36531
Front User Submit / Front Editor

- Plugin Slug
- front-editor
- Installations
- 200+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 3.8.5
- Severity Score
- Medium
TrustProfile
- Plugin Slug
- trustprofile
- Installations
- 200+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.25
- Severity Score
- Medium
Knowledge Center

- Plugin Slug
- knowledge-center
- Installations
- 20+
- Vulnerability
- Authenticated Cross Site Scripting (XSS)
- Patched in Version
- 2.8
- Severity Score
- Medium
Catalyst Connect Zoho CRM Client Portal

- Plugin Slug
- catalyst-connect-client-portal
- Installations
- 10+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.1.0
- Severity Score
- Medium
- CVE
- 2022-44629
ARMember
- Plugin
- ARMember
- Plugin Slug
- armember-membership
- Vulnerability
- Stored Cross Site Scripting (XSS) on Common Messages Settings
- Patched in Version
- 4.0.5
- Severity Score
- Medium
- CVE
- 2022-47421
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 5.7.6
- Severity Score
- Medium
- CVE
- 2023-36513
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Broken Access Control
- Patched in Version
- 5.7.6
- Severity Score
- Medium
- CVE
- 2023-36512
Houzez CRM
- Plugin
- Houzez CRM
- Plugin Slug
- houzez-crm
- Vulnerability
- SQL Injection
- Patched in Version
- 1.3.5
- Severity Score
- Critical
- CVE
- 2023-36529
Salon Booking System
- Plugin
- Salon booking system
- Plugin Slug
- salon-booking-system
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 8.4.8
- Severity Score
- Medium
- CVE
- 2023-3427
LearnDash LMS
- Plugin
- LearnDash LMS
- Plugin Slug
- sfwd-lms
- Vulnerability
- Authenticated IDOR to Account Takeover
- Patched in Version
- 4.6.0.1
- Severity Score
- High
- CVE
- 2023-3105
WooCommerce Order Barcodes
- Plugin
- WooCommerce Order Barcodes
- Plugin Slug
- woocommerce-order-barcodes
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.6.5
- Severity Score
- Medium
- CVE
- 2023-36511
WooCommerce Ship to Multiple Addresses
- Plugin
- WooCommerce Ship to Multiple Addresses
- Plugin Slug
- woocommerce-shipping-multiple-addresses
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.8.6
- Severity Score
- Medium
- CVE
- 2023-36514
WP Post Author
- Plugin
- WP Post Author
- Plugin Slug
- wp-post-author
- Vulnerability
- Privilege Escalation
- Patched in Version
- 3.3.0
- Severity Score
- Critical
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Side Cart Woocommerce

- Plugin Slug
- side-cart-woocommerce
- Installations
- 60,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28415
Enhanced Text Widget

- Plugin
- Enhanced Text Widget
- Plugin Slug
- enhanced-text-widget
- Installations
- 50,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23823
Duplicate Post Page Menu & Custom Post Type

- Plugin Slug
- duplicate-post-page-menu-custom-post-type
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36526
Zippy

- Plugin
- Zippy
- Plugin Slug
- zippy
- Installations
- 10,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36381
Form Builder

- Plugin Slug
- contact-form-add
- Installations
- 6,000+
- Vulnerability
- CSV Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23796
Enable SVG, WebP & ICO Upload

- Plugin Slug
- enable-svg-webp-ico-upload
- Installations
- 6,000+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2143
SW Product Bundles

- Plugin
- SW Product Bundles
- Plugin Slug
- sw-product-bundles
- Installations
- 6,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36519
ApplyOnline – Application Form Builder and Manager

- Plugin Slug
- apply-online
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24391
Email download link

- Plugin
- Email download link
- Plugin Slug
- email-download-link
- Installations
- 5,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36523
Post Hit Counter

- Plugin
- Post Hit Counter
- Plugin Slug
- post-hit-counter
- Installations
- 3,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36518
Layer Slider

- Plugin
- Layer Slider
- Plugin Slug
- slider-slideshow
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23798
WooCommerce Google Sheet Connector

- Plugin Slug
- wc-gsheetconnector
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2329
WCP OpenWeather

- Plugin
- WCP OpenWeather
- Plugin Slug
- wcp-openweather
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-25471
WP Abstracts

- Plugin
- WP Abstracts
- Plugin Slug
- wp-abstracts-manuscripts-manager
- Installations
- 400+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36517
WP Abstracts

- Plugin
- WP Abstracts
- Plugin Slug
- wp-abstracts-manuscripts-manager
- Installations
- 400+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28692
Post to CSV by BestWebSoft

- Plugin Slug
- post-to-csv
- Installations
- 300+
- Vulnerability
- CSV Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36527
Caldera Forms Google Sheets Connector

- Plugin Slug
- gsheetconnector-caldera-forms
- Installations
- 200+
- Vulnerability
- Access Code Update via Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2330
Autochat

- Plugin Slug
- auyautochat-for-wp
- Installations
- 70+
- Vulnerability
- Unauth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-3041
Quiz Expert

- Plugin Slug
- quiz-expert
- Installations
- 50+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36522
AN_GradeBook
- Plugin
- AN_GradeBook
- Plugin Slug
- an-gradebook
- Vulnerability
- Authenticated SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-2636
Booked
- Plugin
- Booked
- Plugin Slug
- booked
- Vulnerability
- Unauth. Appointment Data Exposure
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-36399
Editorial Calendar
- Plugin
- Editorial Calendar
- Plugin Slug
- editorial-calendar
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-4115
Editorial Calendar
- Plugin
- Editorial Calendar
- Plugin Slug
- editorial-calendar
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36520
File Manager Advanced Shortcode
- Plugin
- File Manager Advanced Shortcode
- Plugin Slug
- file-manager-advanced-shortcode
- Vulnerability
- Unauth. Remote Code Execution (RCE)
- Patched in Version
- No Fix
- Severity Score
- Critical
- CVE
- 2023-2068
Image Map Pro Lite
- Plugin
- Image Map Pro
- Plugin Slug
- image-map-pro-lite
- Vulnerability
- Cross-Site Request Forgery to Stored Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-3411
Image Map Pro
- Plugin
- Image Map Pro
- Plugin Slug
- image-map-pro-lite
- Vulnerability
- Missing Authorization to Stored Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-3412
Noo Timetable
- Plugin
- NOO Timetable
- Plugin Slug
- noo-timetable
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-45828
Noo Timetable
- Plugin
- NOO Timetable
- Plugin Slug
- noo-timetable
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-45821
SP Project & Document Manager
- Plugin
- SP Project & Document Manager
- Plugin Slug
- sp-client-document-manager
- Vulnerability
- Auth. Insecure Direct Object References (IDOR)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-3063
SP Project & Document Manager
- Plugin
- SP Project & Document Manager
- Plugin Slug
- sp-client-document-manager
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-36677
SP Project & Document Manager
- Plugin
- SP Project & Document Manager
- Plugin Slug
- sp-client-document-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36530
Web3
- Plugin
- Web3 – Crypto wallet Login & NFT token gating
- Plugin Slug
- web3-authentication
- Vulnerability
- Authentication Bypass Vulnerability
- Patched in Version
- No Fix
- Severity Score
- Critical
- CVE
- 2023-3249
WPJobBoard
- Plugin
- WPJobBoard
- Plugin Slug
- wpjobboard
- Vulnerability
- Unauth. Blind SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-36525
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
The7 — Website and eCommerce Builder for WordPress
- Theme
- The7
- Theme Slug
- dt-the7
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32123
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.